
Research Examples in Computer Forensics (Michael M. W. de Silva, 2009)


Two examples of research undertaken in Computer Forensics on a consultation basis.


Research Examples on Computer Forensics (2009) Michael M. Wijetunge de Silva MSc (Dist), BEng (Hons), MIEEE, AMIMechE(UK) email: [email protected] • blog: bsodmike.com • résumé: mwdesilva.com

Computer Forensics ~ Computer Science

1 INTRODUCTION

H. M. Customs and Excise have broken a smuggling ring dealing in rare and endangered species. One of the felons was utilising a Microsoft Windows based laptop to record details of their illegal trade and is suspected of corresponding with a number of his co-conspirators via the laptop.

The primary objective of this research was to detail typical places in a Windows based file system where incriminating evidence may be hidden, and to discuss key technologies that may have been used for communication with his partners and the resulting difficulties they may pose to the forensics investigators.

2 CONCEALING DATA ON A WINDOWS-BASED HARD DISK FILE SYSTEM

Microsoft Windows systems are typically found formatted in one of the following two file systems (Mirza, 2008): File Allocation Table (FAT) or New Technology File System (NTFS).

The FAT file system architecture is found as a legacy 12-bit version (FAT12), a 16-bit version (FAT16) and, more commonly, a 32-bit version (FAT32). The defining characteristic of these file systems is their maximum volume size, which is 32 MB, 2 GB and 2 TB respectively. As most modern computers have a Hard Disk Drive (HDD) capacity of at least 1 GB, the FAT12 system is considered outdated and has as such been termed a ‘legacy’ technology.

NTFS (also known as the ‘Windows NT File System’), introduced in July 1993, superseded FAT as the file system of choice due to its many inherent improvements. The discussion of hiding mechanisms below focuses upon hard drive architecture, basic drive geometry and these two file systems.


The Host Protected Area (HPA) is a reserved area found on some HDDs, and the Device Configuration Overlay (DCO) allows computer manufacturers and vendors to store data in the HPA, which is protected from conventional access such as Windows Explorer (Mirza, 2008). With ample knowledge of DCO and HPA, a computer program may be developed to store sensitive data by taking advantage of this “physical” feature. Since the availability of the HPA is limited to certain makes and models of HDDs, it would be useful for any forensic investigator to have access to a comprehensive database of all such brands, makes and model serial numbers which support HPA, as well as detailed information on any proprietary modifications to the HPA or DCO methods and the manufacturer-supplied utilities for accessing the information held in the HPA.

During the installation of Microsoft Windows, the HDD needs to be partitioned and formatted. A partition sector, also commonly called a Master Boot Record (MBR), is the first sector of a partitioned volume of a HDD. Although the primary purpose of the MBR is to hold the disk's partition map (primary partition table), since the MBR only requires a single drive sector and partitions must start on a cylinder boundary, the MBR will be followed by sixty-two empty sectors which are ideally suited for storing sensitive information within this ‘free space’ (Carrier, 2005).

Volume Slack (VS) is defined as ‘wasted space’, as it is free space on a HDD that has not been partitioned. It is possible to create a partition, write sensitive information to that partition, and then delete that particular partition so that it becomes Volume Slack (Casey, 2004). Since this space is no longer partitioned, the Operating System (OS) will not be able to access this area via a mapped drive letter in Windows Explorer.

In the next stage, once the partitions have been created, the drive needs to be formatted with an appropriate file system. Depending on the chosen type of file system, data can only be accessed as block-sized chunks rather than as individual sectors. Whilst this improves the efficiency of accessing and storing data (read/write latency etc.) within the file system, it may lead to wasted sectors at the end of the partition if the total number of sectors is not an integer multiple of the block size. Of course, these wasted sectors are once again an ideal location for writing sensitive data to, as they are not typically accessible by the OS; this area is dubbed ‘partition slack’ (Casey, 2004).
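As an added illustration (example code written for this page, not part of the original paper), the following Python script parses the MBR partition table of a constructed disk image and lists the three sector runs discussed above: the gap between the MBR and the first partition, the volume slack after the last partition, and the partition slack at the end of each partition, reporting which sectors in each run hold anything other than zeros. The image, its partition layout and the planted strings are all constructed for the demonstration.

```python
import struct

SECTOR = 512                 # bytes per sector
MBR_SIG = b"\x55\xaa"        # boot signature at offset 510


def parse_mbr(mbr: bytes):
    """Return (type, start_lba, sector_count) for each used partition entry.

    The table sits at offset 446: four 16-byte entries. Byte 4 of an entry is
    the partition type; bytes 8-11 and 12-15 hold the start LBA and the
    sector count, both little-endian."""
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIG:
        raise ValueError("no 0x55AA boot signature: not an MBR sector")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype and count:
            parts.append((ptype, start, count))
    return sorted(parts, key=lambda p: p[1])


def find_unpartitioned(total_sectors, parts):
    """List (label, first_lba, n_sectors) for every sector run no partition covers."""
    gaps, next_free = [], 1            # LBA 0 is the MBR itself
    for _ptype, start, count in parts:
        if start > next_free:
            label = "mbr slack" if next_free == 1 else "inter-partition gap"
            gaps.append((label, next_free, start - next_free))
        next_free = max(next_free, start + count)
    if total_sectors > next_free:
        gaps.append(("volume slack", next_free, total_sectors - next_free))
    return gaps


def partition_slack(start, count, cluster_sectors):
    """(first_lba, n_sectors) at the end of a partition that no whole cluster reaches."""
    usable = (count // cluster_sectors) * cluster_sectors
    return (start + usable, count - usable)


def nonzero_sectors(image, first_lba, n_sectors):
    """LBAs in the run that hold anything other than zeros: worth a closer look."""
    hits = []
    for lba in range(first_lba, first_lba + n_sectors):
        if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
            hits.append(lba)
    return hits


def scan_image(image, cluster_sectors=8):
    """Full sweep of the hiding places: returns {region_label: [suspicious LBAs]}."""
    total = len(image) // SECTOR
    parts = parse_mbr(image[:SECTOR])
    report = {}
    for label, first, n in find_unpartitioned(total, parts):
        report[label] = nonzero_sectors(image, first, n)
    for _ptype, start, count in parts:
        first, n = partition_slack(start, count, cluster_sectors)
        if n:
            report[f"partition slack @{start}"] = nonzero_sectors(image, first, n)
    return report


def build_test_image():
    """Constructed 128-sector image: one FAT32 partition at LBA 63 (50 sectors),
    with sample text planted in the MBR slack and in the volume slack."""
    img = bytearray(128 * SECTOR)
    # status, CHS start (3 bytes), type 0x0B, CHS end (3 bytes), then LBA start/count
    entry = bytes([0x80, 0, 0, 0, 0x0B, 0, 0, 0]) + struct.pack("<II", 63, 50)
    img[446:446 + 16] = entry
    img[510:512] = MBR_SIG
    img[40 * SECTOR:40 * SECTOR + 24] = b"constructed hidden note "   # MBR slack
    img[120 * SECTOR:120 * SECTOR + 12] = b"volume slack"             # past last partition
    return bytes(img)


if __name__ == "__main__":
    for region, lbas in scan_image(build_test_image()).items():
        print(f"{region:24s} non-zero sectors: {lbas}")
```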

All partitions, even those configured as non-bootable, contain a boot sector. Therefore, the boot sector of a non-bootable partition is simply wasted space that is ideally suited for storing confidential information. Similarly, unallocated space within a partition is inaccessible by Windows until a particular file's creation has been allocated to that space. Therefore, this unallocated ‘free’ space could contain sensitive information; however, it is quite a gamble, as any modifications made within Windows could lead to the over-writing of this space and thereby potentially losing the data (although it could be retrieved if the drive platters are read by hand).

Looking back at the file system, it is also possible to ‘abuse’ the functionality of a particular safety feature in both FAT16/32 and NTFS to hide information within blocks marked as bad blocks. The purpose of marking bad blocks is to prevent data loss, and manipulating such metadata is once again ideal for the purpose of storing sensitive information (Britz, 2008). The storage locations for hiding data detailed above apply to both FAT16/32 and NTFS. However, the NTFS file system allows for some unique locations for storing such sensitive information.

Similar to the bad cluster metadata modification previously discussed, a particular piece of metadata belonging to the NTFS file system is its Cluster Allocation Bitmap. The Cluster Allocation Bitmap is quite simply a complete map that marks the allocation status of each and every addressable cluster within the partition in question. As with the bad cluster method, it would only require the contents of the Cluster Allocation Bitmap to be modified, although the fact that a malicious modification has taken place would be made obvious if it were inspected. The advantage of this method, however, is that the hidden information would persist in its hidden state for the lifespan of the file system (Farmer and Venema, 2005).

The NTFS file system in particular also provides a couple more alternatives. One possibility would be to alter the Alternate Data Streams (ADS), which are associated with the Master File Table (MFT). Modification of such file streams would be suited for hiding sensitive data, as they are not within the scope of Windows Explorer. NTFS has another inherent ‘quirk’ with regard to handling extremely small files and ADS. In the event a particular file is small enough to occupy space within the MFT, rather than referencing its location, the entire file itself would be stored within the MFT (Jones, Bejtlich and Rose, 2005).

This allows a computer program to create multiple such files to create enough ‘free space’ within the MFT, delete them, and proceed to create a potentially large enough file within the MFT to store hidden information of choice. Of course, this hidden information would only persist until further small files start to overwrite this particular location in the MFT, and as such it would be best suited for ephemeral data.

The above discussion shows that most of the ‘hiding’ places within a typical Windows-based file system are more suited to ephemeral data, whilst the longer-term hiding places are easier to detect. However, for any information found in the previously discussed locations where data could be concealed, it has been taken for granted that the data would be stored in plain text without first undergoing some form of encryption such as 3DES, Blowfish, or even the Advanced Encryption Standard (AES) (Burnett, 2001).

3 COMMUNICATION TECHNOLOGIES THAT THWART FORENSIC EFFORTS

Accessing the Internet is simpler than ever, with free WiFi in many coffee shops and even unsecured networks in many densely populated cities. A couple of years ago, accessing e-mail relied on client programs running on the user's computer via POP/SMTP sessions, leading to all the emails being stored locally on the computer's file system. This is no longer the case. With many free email services available online, far more users are relying on storing most of their information online as a result of cloud computing (Miller, 2008).

In the following discussion of the various means by which an individual could communicate with his or her co-conspirators regarding their illegal activities, it is assumed that this individual has at least a basic working knowledge of covering their tracks after using any of the web browsers installed on their system. This includes, but is not limited to, clearing all details of browsing history, download history, saved form and search history, cache, cookies, offline website data, saved passwords and authenticated SSL sessions.

Currently, even Google offers an online system called ‘Google Docs’, which is a free web-based word processor and spreadsheet application enabling easy collaboration. Making matters even more complicated, the free email service by Google (GMail), for example, has an option to always force the browser to connect via a Secure Sockets Layer (SSL) encrypted session. This is also supported by other free email systems such as Hotmail and Yahoo. RC4 is the stream cipher used in SSL, as a 128- or 256-bit cipher that offers remarkable performance, although it does have several weaknesses. However, from an evidence-gathering standpoint, these weaknesses would only be of use when exploiting a particular SSL session between known Internet Protocol (IP) addresses (Viega, Messier and Chandra, 2002), and would therefore not leave any traces on the laptop as long as the user has been careful.

With the popularity of cloud computing, from a forensics perspective, the browser software installed on a Windows system (Microsoft Internet Explorer, Mozilla Firefox, etc.) would need to undergo close scrutiny for evidence in the form of its cache, history, cookies and most recently downloaded files. Although it may be possible to obtain some information via this method, it is not the only means of communication across the Internet and World Wide Web (WWW).

Since it is common knowledge that many intelligence gathering agencies around the world, such as MI6, Interpol, the FBI and the CIA, are screening email traffic for “tell-tale” signs of communication of a less than legal nature, an unscrupulous individual could take advantage of the free online email systems in the following manner: log in to the email system and create a draft email with whatever information needs passing. Their co-conspirators also access this same email account and read the draft, as only these two parties have the username and password for the email account. As such, no emails are ever actually sent and all the information is stored in the ‘draft’ folder.

This could also be applied to other online services such as Scribd, which offers an easy means of collaborating on documentation as PDF and Word content. It even supports a means of storing ‘private’ files online, where only those given a particular Uniform Resource Locator (URL) are able to access the private document in question. However, it is quite possible that the Scribd system has text scanning systems in place to ensure such information does not stay active on their system for long, but this will only ‘flag’ information that is posted as being blatantly obvious; it is unlikely any intelligence agencies would be notified by the posting of a recipe for a thin crust pizza.

With the exercise of caution and a certain degree of common sense, this system could easily be used for passing sensitive information between parties. Furthermore, the Scribd URL to private documents could easily be communicated to co-conspirators via the Short Message Service (SMS), which is a standardised communication service in the GSM cellular communication system, and as such would leave no traces on the laptop that such a document was ever passed to someone else, unless the browser's logging features suggest otherwise.

For the most tech-savvy criminals, a secure Virtual Private Network (VPN) that utilises cryptographic tunnelling is another extremely feasible means of communication. VPN is an extremely powerful system and is therefore a standard feature of most corporate networks, allowing their employees to work from home and while on the move (Steinberg et al., 2005) without compromising the security of their network and data. During a VPN session, the connecting user will effectively be logged onto this remote network of computers, thereby gaining complete access to all shared volumes, attached computer peripherals and the computer terminals themselves (depending on the firewall configuration and network topology). “Local” video conferencing would be extremely simple to achieve, as would transferring files and other data whilst connected to the remote network via VPN (Snader, 2005). It would be the duty of the forensic investigator to check whether the IP address of the VPN network (or networks) connected to has been recorded in some way, or whether any logs of such sessions are recorded locally on the HDD of the laptop.

Although less complicated to set up and connect, a Secure Shell (SSH) connection to a remote server allows for an encrypted session for the duration of the link. Once again, the two parties are able to exchange files (via the File Transfer Protocol, or FTP), utilise instant messaging and a host of other capabilities. However, the SSH system is susceptible to ‘man in the middle’ attacks. Not unlike VPN, though, this is another secure means of cryptographic tunnelling via the Internet (Barrett, Silverman and Byrnes, 2005).

FTP is a simple system devised on Linux and Unix based systems for transferring files between a client and an FTP server, and vice versa. A typical FTP session runs completely unsecured in the open, with even the username and password transmitted as plain text, and can easily be captured with a packet sniffer listening on port 21 (Kozierok, 2005). To ensure that such a connection is made with a means of encryption, a viable alternative would be the SSH File Transfer Protocol (SFTP) or FTP over SSL (FTPS).

Although the FTP/SFTP system was not designed as a means of passing information, one could easily take advantage of it in this fashion. Suppose the co-conspirators have set up an FTP server (or daemon, as they are commonly called, hence FTPd) and they place their ‘secret’ information in the FTPd welcome message that is customised to appear only to a particular user who logs in. Such messages could be set up for each of the various accounts of their co-conspirators, who simply need to log in over SFTP to receive the information, and they can easily leave their response by transferring their comments and response as a file to their folder on the FTPd. Paired with SMS messaging, it would be extremely simple for the members of their organisation to handle communications in this fashion.

It is, however, possible to find out if SSH sessions have been in use on the laptop. Since SSH is native to Linux and Unix based systems, a typical Windows program offering a similar environment would be Cygwin, or alternatively one could actually run a flavour of Linux (such as Ubuntu or Debian) via a Windows application known as VMware (Newham, 2005).

To use public-key secure connections, public keys are stored in ~/.ssh/known_hosts, and a typical such file might contain something similar to what is shown below:

128.138.249.8 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0d7Aoure0toNJ+YMYi61QP2ka8m5x5ZQlT7obP8CK3eropfqsMPPY6uiyIh9vpiFX2r1LHcbx139+vG6HOtVvuS8+IfMDtawm3WQvRuOopz3vVy5GtMwtaOgehsXoT930Ryev1bH5myPtWKlipITsOd2sX9k3tvjrmme4KCGGss=

As seen from the example above, the destination IP address is stored along with the RSA public-key hash.
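The following Python parser, added here as an example and not part of the original paper, reads known_hosts entries of the kind shown above and reports, for each, the host names or IP addresses, the key type, the RSA modulus size and a SHA256 fingerprint, decoding the base64 third field (which carries the full public key in SSH wire format, with the key type embedded). The sample file it parses is constructed, and the key material in it is made up, not a real host key.

```python
import base64
import hashlib
import struct


def _read_string(blob, pos):
    """Read one SSH wire-format string: a big-endian uint32 length, then bytes."""
    (n,) = struct.unpack_from(">I", blob, pos)
    pos += 4
    if pos + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos:pos + n], pos + n


def decode_key(b64):
    """Decode the base64 key field. The key type is embedded as the first string;
    for ssh-rsa it is followed by the exponent e and the modulus n as mpints."""
    blob = base64.b64decode(b64, validate=True)
    ktype, pos = _read_string(blob, 0)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=")
    info = {"type": ktype.decode("ascii"),
            "fingerprint": "SHA256:" + digest.decode("ascii")}
    if ktype == b"ssh-rsa":
        e_bytes, pos = _read_string(blob, pos)
        n_bytes, pos = _read_string(blob, pos)
        info["e"] = int.from_bytes(e_bytes, "big")
        info["bits"] = int.from_bytes(n_bytes, "big").bit_length()
    return info


def parse_known_hosts(text):
    """Return one dict per entry: line number, hosts, marker, and decode_key() fields."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):            # @cert-authority or @revoked
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'hosts keytype key'")
        hosts, ktype, b64 = fields[:3]           # anything after is a free-text comment
        if hosts.startswith("|1|"):
            # HashKnownHosts=yes: the host is stored as an HMAC and cannot be read
            # off the line; it must be matched by hashing candidate host names.
            host_list = ["<hashed>"]
        else:
            host_list = hosts.split(",")         # e.g. "[host]:2222,10.0.0.5"
        key = decode_key(b64)
        if key["type"] != ktype:
            raise ValueError(f"line {lineno}: type field {ktype!r} does not match "
                             f"embedded type {key['type']!r}")
        entries.append({"line": lineno, "hosts": host_list, "marker": marker, **key})
    return entries


# --- constructed sample data (made-up numbers, not real keys) ------------------

def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:          # leading zero keeps the value positive
        b = b"\x00" + b
    return _string(b)


def build_rsa_blob(e, n):
    """Encode (e, n) as an ssh-rsa public key blob, base64 as it appears in the file."""
    return base64.b64encode(_string(b"ssh-rsa") + _mpint(e) + _mpint(n)).decode("ascii")


SAMPLE_N = (1 << 1023) | 0x10001           # constructed 1024-bit modulus, not a real key
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample file\n"
    f"128.138.249.8 ssh-rsa {build_rsa_blob(65537, SAMPLE_N)}\n"
    f"[git.example.test]:2222,10.0.0.5 ssh-rsa {build_rsa_blob(65537, SAMPLE_N)} work box\n"
    f"@revoked old.example.test ssh-rsa {build_rsa_blob(3, SAMPLE_N)}\n"
)

if __name__ == "__main__":
    for entry in parse_known_hosts(SAMPLE_KNOWN_HOSTS):
        print(f"line {entry['line']}: {','.join(entry['hosts'])} {entry['type']} "
              f"{entry.get('bits', '?')} bits {entry['fingerprint']} "
              f"{entry['marker'] or ''}")
```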

This research would not be complete without discussing freely available Instant Messaging (IM) systems such as Windows Live Messenger (formerly named MSN Messenger), Yahoo Messenger, ICQ and AOL Instant Messenger (AIM). These systems allow users to freely ‘chat’ in purely text mode by running the same client application on each of their PCs. However, their communications are routed through the servers belonging to the companies that developed the client applications, and as such encryption is not a main feature of these applications (Wikipedia, 2009).

Alternative software such as BitWise IM is available freely and also supports real-time 128-bit Blowfish encryption, whilst the paid professional version supports 448-bit Blowfish encryption. This particular application also generates a new random key for each and every new conversation. In terms of evidence gathering, a regular feature of these programs is their ability to log conversations to the HDD as plain text files that are usually time stamped. Since this is a user-enabled option, these log files may or may not exist on the system.

Reflecting back upon the discussion regarding GMail, the free web-based email system provided by Google, it also features an IM system called GMail Chat. In the event the connection to GMail is made over the Hypertext Transfer Protocol (HTTP), all the contents of these conversations can easily be compromised by anyone looking to do so over the Internet. However, if the web browser connects to the GMail system with SSL enabled, the contents of these conversations will be far more difficult to tap into.

With regard to making voice and video calls over the Internet, Skype offers free voice calling between Personal Computers (PCs) utilising the Internet (Abdulezer et al., 2007). Their system utilises the Advanced Encryption Standard (AES), also known as Rijndael (Daemen and Rijmen, 2002), a portmanteau of the names of the cipher's two inventors, Joan Daemen and Vincent Rijmen, with a 256-bit encryption key to actively encrypt the data of voice calls, voice and video calls (known as video conferencing) and instant messages (Skype, 2009). It is clear that making free, encrypted calls over the Internet is an extremely attractive alternative for communicating with co-conspirators. With much exercised prudence and care, even if each call is logged and analysed by the Skype system, it is highly unlikely that it would get flagged unless both parties are extremely incompetent and careless. The Instant Messaging aspect of Skype allows for these conversations to be recorded to the HDD, and this is most likely the only evidence it would leave behind, apart from the various Skype contacts if the user of the program allowed Skype to remember his password.

Of course, Skype also allows those with Skype Credit to make PC-to-landline calls, where part of the call is carried over the Internet and the rest over fibre optic, Voice over Internet Protocol (VoIP), cellular (GSM/3G) and Public Switched Telephone Networks (PSTN) (Wallingford, 2005). This of course poses a couple of risks to the parties using this system for communication: (1) the caller has to have Skype Credit in their account, and this needs to be purchased via a credit card or PayPal account, and (2) the final number being called gets recorded on the passing and target networks. As for the former, a stolen credit card or a hacked PayPal account could be used, but this would result in their current IP address being noted down. This alone may not help, as they could be connecting through many piggybacked proxy servers to mask their real IP, or they could even be connecting via an unsecured WiFi connection in a metropolitan area (although this would place them within a 32 m radius to a maximum radius of 95 m from the location of the wireless base station, which would result in their possible location covering a 3.2 to 28 square-km area, respectively).

A similar system is also offered by Google Talk (GTalk), which runs natively as a Windows web-based application and offers Instant Messaging and VoIP communications between PCs. Unlike Skype, the GTalk system does not impose complete encryption at this point in time.

Another popular means of online communication is Internet Relay Chat (IRC), which allows for real-time text-based chat by joining a particular IRC server utilising a freely available IRC client (Charalabidis, 1999). One of the most popular IRC clients for Windows is mIRC, and similar to most other communication applications it allows previous conversations or sessions to be logged to the HDD.

Unlike IM conversations, with IRC the user must join an IRC server of his choice, and there are many such servers, based in various countries. Upon joining an IRC server, the user can either join pre-existing IRC channels or create and join his own. At this point, any co-conspirators may join the same channel and enter into a private conversation.

Files can be exchanged via a Direct Client-to-Client (DCC) connection or a Secure DCC (SDCC), which can also allow individuals to chat privately over IRC with encryption enabled. It should be noted that both DCC and SDCC are peer-to-peer (P2P) connections that are independent of the IRC client-server connection, and rely directly upon the Wide Area Network (WAN) IP addresses belonging to the PCs of both users. SSL may be used on the client-server connection, depending on the particular features of that server, to make eavesdropping on a particular user's IRC session difficult.

Internet forums or message boards are extremely popular web applications that allow users to collaborate online in a system akin to the traditional Bulletin Board Systems (BBS) of the days of dial-up Internet, well before broadband was introduced. Most forums are dedicated to a central theme: some are dedicated to computer technology and hardware discussions, such as HEXUS.net, and some are dedicated to specific hobbies, interests and discussions.

Most online forums simply require a user to define a ‘nickname’ to be recognised by and to supply a valid email address to register on the system. Once this is set up, they are free to access various features of the forum as well as a Private Messaging (PM) system. There are almost no measures to prevent unscrupulous individuals from communicating via forums utilising their PM system as a means of conversation, while only some forums tend to monitor PMs sent and received. Once again, as long as common sense and a degree of caution are exercised, an online forum could be ideally used between co-conspirators, although they would be limited by not being able to exchange files by this method. As such, a system such as Scribd could be used in conjunction to overcome this limitation.

In the event they decided to communicate by means of digital photos, many free online systems are also available for this purpose, with Flickr and Photobucket being the most popular. Although they present a limitation on the number of photos uploaded, a fair number of photos can still be stored online with full access to anyone accessing the site with a web browser or a mobile device with such capabilities, such as the Apple iPhone.

This notion could also be extended to the extremely popular networking and socialising web applications such as FaceBook and MySpace. These systems allow users to post online profiles about themselves, freely host photographs and even video clips in their accounts, and privately communicate across the site's system (Shuen, 2008). In all likelihood these systems monitor all private communications, but as mentioned earlier, they will never cause panic unless someone were to blatantly pass across the list of chemicals and instructions required to manufacture military-grade explosives. Used sensibly, they could be ideally used for the co-conspirators to easily communicate with each other privately, and even ensure that no record of these communications is held locally on the HDDs of their computers.

4 CONCLUSION

With regard to concealing information in the laptop's file system, it is apparent that most of the options result in storing ephemeral data, while the more reliable methods are more straightforward to detect. However, even if this data is located, it is far more likely that it would be encrypted with one of the more reliable encryption algorithms.

In terms of communication technology that may pose problems to the team of forensic investigators, many avenues exist for utilising freely available online systems for making contact and passing information across, with very little scope for leaving evidence behind.

It is a given, though, that a careless criminal could easily leave behind enough evidence that is easily accessible. At the end of the day, if dissecting the file system down to its minimum does not prove to be useful, the only alternative would be to have the hard disk platters manually read, allowing possible access to data that was not sufficiently deleted or that did not undergo any secure erasing (known as zeroing).

Page 13: Research Examples in Computer Forensics (Michael M. W. de Silva, 2009)

Research Examples on Computer Forensics (2009) Michael M. Wijetunge de Silva MSc (Dist), BEng (Hons), MIEEE, AMIMechE(UK) email: [email protected] • blog: bsodmike.com • résumé: mwdesilva.com

REFERENCES

i Abdulezer, L. et al. (2007) Skype For Dummies, Hoboken, NJ: Wiley Publishing, Inc.
ii Barrett, D. J., Silverman, R. E. and Byrnes, R. G. (2005) SSH, The Secure Shell: The Definitive Guide, 2nd edition, Sebastopol, CA: O'Reilly Media, Inc.
iii Britz, M. T. (2008) Computer Forensics and Cyber Crime: An Introduction, 2nd edition, Upper Saddle River, NJ: Prentice Hall.
iv Burnett, S. (2001) RSA Security's Official Guide to Cryptography, New York, NY: McGraw-Hill.
v Carrier, B. (2005) File System Forensic Analysis, Reading, Massachusetts: Addison-Wesley.
vi Casey, E. (2004) Digital Evidence and Computer Crime, 2nd edition, London, UK: Academic Press.
vii Charalabidis, A. (1999) The Book of IRC: The Ultimate Guide to Internet Relay Chat, San Francisco, CA: No Starch Press.
viii Daemen, J. and Rijmen, V. (2002) The Design of Rijndael: AES - The Advanced Encryption Standard, New York, NY: Springer Publishing Company.
ix Farmer, D. and Venema, W. (2005) Forensic Discovery, Reading, Massachusetts: Addison-Wesley.
x Jones, K. J., Bejtlich, R. and Rose, C. W. (2005) Real Digital Forensics: Computer Security and Incident Response, Reading, Massachusetts: Addison-Wesley.
xi Kozierok, C. (2005) The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference, San Francisco, CA: No Starch Press.
xii Miller, M. (2008) Cloud Computing: Web-Based Applications That Change the Way You Work and Collaborate Online, Canada: Que Publishing.
xiii Mirza, F. (2008) 'Looking for digital evidence in Windows', International Symposium on Biometrics and Security Technologies 2008, April, pp. 23-24.
xiv Newham, C. (2005) Learning the bash Shell: Unix Shell Programming, 3rd edition, Sebastopol, CA: O'Reilly Media, Inc.
xv Shuen, A. (2008) Web 2.0: A Strategy Guide: Business thinking and strategies behind successful Web 2.0 implementations, Sebastopol, CA: O'Reilly Media, Inc.
xvi Skype (2009) What type of encryption is used?, http://support.skype.com/en_GB/faq/FA145/What-type-of-encryption-is-used, Date accessed 28 March 2009.


xvii Snader, J. C. (2005) VPNs Illustrated: Tunnels, VPNs, and IPsec, Reading, Massachusetts: Addison-Wesley.
xviii Steinberg, J. et al. (2005) SSL VPN: Understanding, evaluating and planning secure, web-based remote access: A comprehensive overview of SSL VPN technologies and design strategies, Birmingham, UK: Packt Publishing Ltd.
xix Viega, J., Messier, M. and Chandra, P. (2002) Network Security with OpenSSL, Sebastopol, CA: O'Reilly Media, Inc.
xx Wallingford, T. (2005) Switching to VoIP, Sebastopol, CA: O'Reilly Media, Inc.
xxi Wikipedia (2009) Instant messaging, http://en.wikipedia.org/wiki/Instant_messaging, Date accessed 28 March 2009.


POSSIBLE DEFENCES FACED IN COMPUTER FORENSICS

ABSTRACT: The aim of this research was to study the possible defences faced by a prosecuting investigator, with regards to Computer Forensics. The focus was on techniques used in concealing data in modern mass storage media, popular file systems, and the consequences of data encryption (to current standards) on successful retrieval of forensic evidence.


TABLE OF CONTENTS

1 INTRODUCTION
2 CONCEALMENT OF DIGITAL DATA
2.1 Formidable Cryptography of the 21st Century
2.2 Computer Hard Disk Drives and File Systems
3 CONCLUSION


5 INTRODUCTION

The aim of this research was to detail some of the possible defences that may be faced by a prosecuting investigator. Since these defences vary directly with the nature of the particular case at hand, this research addresses the most relevant domains of Computer Forensics with regard to the concealment of digital data on storage media and within its file system structure. Other hiding methods are out of the scope of this research; these include (but are not limited to) swap files, binding executable files together, compressed files, renamed files, BIOS parameter alteration, and steganography.

6 CONCEALMENT OF DIGITAL DATA

The two types of data collected in Computer Forensics are persistent data and volatile data. The former is information preserved in the storage medium when power to the computer or device is removed, and this applies equally to many mobile devices in production today. Volatile data is data held in memory, the cache and Random Access Memory (RAM) of a computer or mobile device, and is ephemeral by nature: once power is removed and the capacitors of the DRAM cells discharge, it is lost within seconds to, at most, a couple of minutes.

In current times, the concealment of digital data is usually attributed to steganography, watermarking, and cryptography (Cole, 2003). The word steganography means concealed writing; its concern is hiding the very existence of a communication. Watermarking is concerned with adding sufficient information to an object to establish its source or provenance. Cryptography, by contrast, makes no attempt to hide that a message exists; its interest lies in obscuring the message's contents.

Steganography and cryptography are thus both means by which the information of interest is concealed or obscured, and sometimes embedded in other information such as pictures. With digital watermarking, on the other hand, it is the object of interest that is protected, by the obscured or embedded watermark, not unlike a fingerprint. In application, steganography and watermarking may be combined with cryptography, although as an added measure rather than a requirement. Furthermore, imperceptible watermarking is, in terms of functionality, inherently related to steganography.

The inclusion of metadata can be considered a loose application of perceptible watermarking. Being perceptible, it does not comply with the philosophy of watermarking; however, as the name implies, metadata means "data about other data" and therefore tends to be descriptive of other data, holding, depending on context, information such as author, date last accessed, and copyright.

Metadata was found embedded in a deleted Microsoft Word document on a 3.5" floppy disk sent by the BTK killer on 16 February 2005 in Wichita, Kansas, USA. The recovered metadata revealed that the document had been last modified by "Dennis" and contained "Christ Lutheran Church" (Smith, 2006). A search of the church website identified a Dennis Lynn Rader as a member of the congregation, giving the police their first suspect in the case and strong circumstantial evidence. He was arrested ten days later and formally charged with the murders on 28 February 2005 (Douglas and Dodd, 2008).

In considering the process of concealing data digitally, there is also a physical aspect to be considered: the modern digital storage media used to conceal digital information. Most modern storage is not bit-addressable at the Operating System (OS) level; the OS addresses it in far coarser units (sectors, and above those the file system's clusters or blocks). This creates the possibility of storing data in areas of the medium that are inaccessible, or at least unnoticeable, through the normal file system interface.

Those looking to conceal potentially incriminating data, or to use a computer for illegal activities, tend to be aware that methods exist for retrieving deleted data. They therefore resort to freely available and commercial 'disk wiper' utilities in an attempt to be rid of any loose ends. Berghel and Hoelzer (2006), in their paper "What Does a Disk Wiper Wipe when A Disk Wiper Does Wipe Disks", show that these utilities are quite ineffective at eliminating all hidden data: most operate only on what the file system exposes, leaving areas such as those described below untouched.

6.1 FORMIDABLE CRYPTOGRAPHY OF THE 21ST CENTURY

The most widely used and trusted implementation of symmetric key cryptography [1] is the Advanced Encryption Standard (AES) algorithm, originally published as Rijndael (Daemen and Rijmen, 2002). In June 2003, the National Security Agency (NSA) of the US Government approved AES for use in protecting classified information (CNSS, 2003).

Earlier related-key attacks on AES-256 required on the order of 2^128 operations. Biryukov and Khovratovich (2009) devised two related-key attacks with a better complexity (2^119 data and time), which in the related-key model reduces the strength of AES-256 to roughly that of a 119-bit cipher. Although this is a significant result, it is still far from a practical attack. Hypothetically, if each operation took 1 picosecond (1×10^-12 s) to complete, 2^119 operations would require about 2.1×10^13 millennia, or 21,000,000 billion years. The authors believe their attack could be further improved to a complexity of 2^110.5; on the same assumption, 2^110.5 operations would still require about 5.8×10^10 millennia, or 58,000 billion years.

Consider Landauer's principle, which states that "each bit of lost information will release an amount of kT ln(2) of heat", where k is Boltzmann's constant and T is the absolute temperature of the environment into which the computer dumps its heat; taking T as the Cosmic Microwave Background (CMB) radiation temperature (2.725 K today) gives the most favourable case possible. Evaluating E = 2^110.5 × kT ln(2) yields roughly 4.8×10^10 joules, which is of the same order as the energy released by a GBU-43/B Massive Ordnance Air Blast (MOAB) bomb (about 11 tons of TNT equivalent) or by the M-388 Davy Crockett nuclear projectile of the Cold War era. This figure is a lower bound on the energy dissipated by any irreversible computation of that size, regardless of the hardware used.

This simply illustrates the electrical power requirements of computers used in successfully cracking AES-256 via the related-key attacks devised by Biryukov and Khovratovich (2009). From a purely theoretical and mathematical standpoint the result makes AES-128 appear more secure than AES-256, but only in the related-key model, which assumes the attacker can obtain encryptions under several keys bearing a chosen relationship to one another; an attacker facing disk or file encryption under a single, randomly generated key gains nothing from it. In practical terms AES-256 is therefore still considered more secure, as evidenced by the NSA continuing to mandate AES-192 and AES-256 for information designated TOP SECRET.

[1] Symmetric-key cryptography algorithms use similar, often identical, cryptographic keys for both encryption and decryption.
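The following Python is an added worked example, not part of the original report: it reproduces the time and Landauer-energy figures above from the stated assumptions. The inputs are the report's own (1 ps per operation, the CMB temperature, the 2^119 and 2^110.5 complexities); the 4.184 GJ per ton of TNT conversion and the 11-ton MOAB yield are standard reference values assumed here for the comparison.

```python
"""Cost of a 2**n-operation attack: wall-clock time at a given speed, and the
Landauer lower bound on dissipated energy at a given temperature."""
import math

BOLTZMANN_J_PER_K = 1.380649e-23   # Boltzmann's constant k (SI exact value)
CMB_TEMPERATURE_K = 2.725          # cosmic microwave background, coldest heat sink available
TON_TNT_J = 4.184e9                # energy of one ton of TNT equivalent, by definition
MOAB_TONS_TNT = 11.0               # assumed GBU-43/B yield used for the comparison


def brute_force_time_years(log2_operations, seconds_per_operation):
    """Years needed to run 2**log2_operations steps sequentially."""
    seconds = 2.0 ** log2_operations * seconds_per_operation
    return seconds / (365.25 * 24 * 3600)


def landauer_energy_joules(log2_operations, temperature_k=CMB_TEMPERATURE_K):
    """Landauer bound: each irreversible bit operation costs at least kT ln 2,
    so 2**n of them cost at least 2**n * kT ln 2 joules."""
    return 2.0 ** log2_operations * BOLTZMANN_J_PER_K * temperature_k * math.log(2)


def energy_in_tons_tnt(joules):
    return joules / TON_TNT_J


def compare_with_moab(log2_operations):
    """Ratio of the Landauer bound to the assumed MOAB yield (1.0 means equal)."""
    return energy_in_tons_tnt(landauer_energy_joules(log2_operations)) / MOAB_TONS_TNT


if __name__ == "__main__":
    for n in (119, 110.5):
        years = brute_force_time_years(n, 1e-12)
        print(f"2^{n}: {years:.3g} years at 1 ps/op, i.e. {years / 1000:.3g} millennia")
    joules = landauer_energy_joules(110.5)
    print(f"Landauer bound for 2^110.5 ops at {CMB_TEMPERATURE_K} K: {joules:.3g} J, "
          f"{energy_in_tons_tnt(joules):.1f} tons TNT, "
          f"{compare_with_moab(110.5):.2f} x MOAB")
```

The energy function is the interesting check: the bound scales linearly with temperature, so a data centre at 300 K would dissipate at least 110 times more than the CMB figure for the same attack.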

Halderman et al. (2008) have shown that, on some computer systems, volatile data held in RAM can persist for roughly a minute after the machine is put to sleep, hibernated or even shut down. They extended this to more than 8 minutes by physically accessing the memory modules and cooling them to about –50 ºC. The modules could even be removed in this cold state and transferred to another computer for what they term "cold boot attacks". The paper details obtaining a 1 GB memory dump within four minutes.

Coupling cold reboots with attacks against popular disk encryption systems (covering AES-128, AES-192 and AES-256 keys) such as BitLocker in Microsoft Windows Vista, Apple's FileVault, and open-source implementations such as TrueCrypt (for Windows, Mac OS X and Linux) and dm-crypt (in Linux kernels since v2.6) reduces the problem to obtaining the encryption key from RAM within minutes and using it to unscramble the encrypted volume. The expanded key schedule that software AES keeps in memory is itself a strong signature: the paper's tools locate keys by searching a memory image for byte sequences that satisfy the key-expansion relations, and can correct a proportion of decayed bits.

When a forensic investigator is presented with a running system, time is of the essence with regard to gathering as much data as possible from its volatile sources of evidence: running processes, the ARP (Address Resolution Protocol) cache, the list of open files, virtual and physical memory, and active network connections (Bidgoli, 2006). Considering the implications of the work by Halderman et al. (2008), a further step could be taken to obtain a qualified forensic duplicate of the data held in RAM onto another storage medium via a cold boot attack. This improves the chances of circumventing any active disk encryption in place on the system (such as BitLocker, FileVault, TrueCrypt or dm-crypt), since the volume key must be present in RAM while the volume is mounted.

6.2 COMPUTER HARD DISK DRIVES AND FILE SYSTEMS

Modern storage media come in various forms, from Hard Disk Drives (HDDs) to Compact Flash (CF), Secure Digital (SD) and Secure Digital High Capacity (SDHC) cards and USB flash drives. During typical use they would be partitioned and formatted with a popular file system; however, this may not always be the case, especially with mass storage media encountered in the field.

Assumptions should not be made regarding recovered desktop PCs, laptop computers, HDDs, external portable HDDs, flash storage and other mass storage devices. HDDs come in various physical form factors (3.5", 2.5", 1.8", 1.3", 1" and 0.85") with connectivity ranging from IDE (Integrated Drive Electronics) to SCSI (Small Computer System Interface) and Serial ATA (SATA). A HDD used as a means of storing and communicating incriminating evidence would not necessarily be used in a regular manner, so precautions need to be taken when forensically investigating the data it holds.

With regard to HDDs, methods for hiding data take advantage of their architecture and geometry. Hiding mechanisms that rely on abusing inherent traits of partitioning schemes and file systems affect not only HDDs but flash storage as well. Given the computer skill required to exploit these data caches, it is extremely likely that any data recovered from them will also have been encrypted, as detailed in Section 6.1, further thwarting forensic efforts at evidence retrieval. This research considers the two main file systems used by computers running Microsoft Windows as well as those running Linux, a freely distributed OS that is well suited to manipulating and accessing these hidden and restricted areas of the file systems.

The most common file systems in the Windows environment are the File Allocation Table (FAT) and New Technology File System (NTFS). The FAT file system is implemented today as a 16-bit version, FAT16, and a more common 32-bit version, FAT32. FAT16 allows a maximum volume of 2 GB, whereas FAT32 can support single partitions of up to 2 TB (Mirza, 2008). The various Linux distributions have no problem accessing and working with FAT16 and FAT32 file systems, although most installations are formatted by default with Ext3, the journaled successor of the legacy Ext2 (Carrier, 2005).

A special feature of HDDs, the Host Protected Area (HPA), is a reserved area at the end of the drive designed to hold information that cannot easily be altered by users, the OS, or the BIOS (Basic Input/Output System). The purpose of the HPA is to allow computer manufacturers and vendors to store information and utilities, such as diagnostic tools and HDD utilities, whilst ensuring that bit-level modification of data held in the HPA is typically impossible for installed operating systems (Gupta, Hoeschele and Rogers, 2006). In addition, a second hidden area on modern HDDs is the Device Configuration Overlay (DCO), which allows vendors to configure HDDs of potentially different sizes to report the same number of sectors (Mirza, 2008); for instance, the DCO could be used to make a 160 GB HDD appear as a 120 GB HDD to both the system BIOS and any installed operating system.

Both features are defined in the ATA command set (the HPA from ATA-4, the DCO from ATA-6) rather than being invented by each vendor, but drives vary in whether and how they honour the commands, so forensic investigators still have to rely on the claims of hardware and software vendors as to whether their imaging tools detect and capture these areas when creating forensic images in the field. These tools may or may not detect and image the HPA properly, and vendors remain largely silent regarding imaging of the DCO. A practical check a practitioner can make is to compare the maximum address the drive reports with the native maximum address returned by the ATA READ NATIVE MAX ADDRESS command: a difference indicates an HPA (on Linux, hdparm -N reports both values, and hdparm --dco-identify reads the DCO). Gupta, Hoeschele and Rogers (2006) have recommended future research into the implications of creating or removing the HPA and DCO for the data integrity of a HDD. Since the HPA and DCO are independent of any partitioning scheme or file system, they are unaffected by any modifications made to those.

Other means of hiding digital data take advantage of features of the respective file systems. Again considering file systems on HDDs, the common methods of hiding information are: 'free space' following the Master Boot Record (MBR), volume slack, partition slack, the boot sector of a non-bootable partition, unallocated space in a partition, bad blocks, the NTFS cluster allocation bitmap, NTFS Alternate Data Streams (ADS), and the NTFS Master File Table (MFT) together with extremely small files.

Before the installation of an operating system, a HDD needs to be partitioned. Once partitioned, it is then formatted with a file system usable by the operating system to be installed. The first sector of a partitioned HDD is called the Master Boot Record (MBR). The MBR itself occupies only a single sector, but because legacy partitioning tools start the first partition on a cylinder (track) boundary at sector 63, the sixty-two sectors following the MBR are left empty (Casey, 2004). This free space can be used to conceal information and survives both re-partitioning of the HDD and re-formatting of the existing partition, since neither operation normally rewrites those sectors. Two caveats apply: modern partitioning tools align the first partition at sector 2048 instead, leaving a larger gap, and some boot loaders store their own code in this area, so it is not always empty.

If a partition is created and sensitive information is written to it with the intention of subsequently deleting the partition, the space it occupied becomes what is known as volume slack (Carrier, 2005). This is essentially space on the HDD that is not currently partitioned; until it is partitioned again, the data written to it remains in the volume slack, inaccessible to the installed operating systems. In the event the HDD is re-partitioned and the newly created partition and file system extend into this area, the hidden data is overwritten and rendered useless.

Once a HDD has been partitioned and formatted with a file system, data is read and written in cluster- or block-sized chunks rather than individual sectors, the chunk size depending on the file system chosen. This tends to waste sectors at the end of a partition whenever its total number of sectors is not an integer multiple of the cluster size. This free space is known as partition slack (Casey, 2004) and is once again a possible storage location for sensitive information. Information stored in the partition slack persists through a re-formatting of the existing partition. However, if the HDD is re-partitioned and the newly created partition and file system extend into this area, the hidden data is rendered useless.
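The following Python is an added example, not part of the original report, covering the three areas just described: it parses a classic MBR partition table, lists every sector range no partition covers (the gap behind the MBR, inter-partition volume slack and trailing volume slack) and estimates the partition slack left when a partition's sector count is not a multiple of the cluster size. The disk image is constructed in memory with two partitions and a marker string planted in the gap behind the MBR; the 8-sectors-per-cluster figure is an assumption for the illustration, and the slack estimate ignores the file system's own reserved area.

```python
"""Parse an MBR and locate the hiding places that sit outside any file system."""
import struct

SECTOR = 512
MARKER = b"HIDDEN-IN-MBR-GAP"   # constructed marker planted behind the MBR


def parse_mbr(sector0):
    """Return [(slot, type_byte, lba_start, sector_count)] for populated entries.
    Each 16-byte entry holds: status, CHS start (3), type, CHS end (3), LBA start, count."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for slot in range(4):
        entry = sector0[446 + 16 * slot:446 + 16 * (slot + 1)]
        _status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0 and count != 0:
            parts.append((slot, ptype, start, count))
    return parts


def unpartitioned_ranges(parts, total_sectors):
    """Inclusive (first, last) LBA ranges covered by no partition, in disk order.
    The first range normally starts at sector 1, directly behind the MBR."""
    gaps, cursor = [], 1
    for _slot, _ptype, start, count in sorted(parts, key=lambda p: p[2]):
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, start + count)
    if cursor <= total_sectors - 1:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def partition_slack_sectors(sector_count, sectors_per_cluster):
    """Tail sectors of a partition that cannot form a whole cluster (simplified:
    the file system's reserved/FAT/MFT areas are ignored, so this is an estimate)."""
    return sector_count % sectors_per_cluster


def read_range(image, first, last):
    """Raw bytes of an inclusive sector range, ready for string search or carving."""
    return image[first * SECTOR:(last + 1) * SECTOR]


def build_sample_disk(total_sectors=4096):
    """Constructed 4096-sector disk: a FAT32 partition with legacy track alignment
    (starting at LBA 63) and a Linux partition at LBA 2048, leaving three gaps."""
    image = bytearray(total_sectors * SECTOR)
    table = [(0x80, 0x0B, 63, 1003), (0x00, 0x83, 2048, 1500)]
    for slot, (status, ptype, start, count) in enumerate(table):
        # CHS fields filled with 0xFF, as tools do when only the LBA fields matter.
        entry = struct.pack("<B3sB3sII", status, b"\xff\xff\xff", ptype,
                            b"\xff\xff\xff", start, count)
        image[446 + 16 * slot:446 + 16 * (slot + 1)] = entry
    image[510:512] = b"\x55\xaa"
    image[5 * SECTOR:5 * SECTOR + len(MARKER)] = MARKER   # sector 5 lies in the MBR gap
    return bytes(image)


if __name__ == "__main__":
    disk = build_sample_disk()
    parts = parse_mbr(disk[:SECTOR])
    for slot, ptype, start, count in parts:
        print(f"slot {slot}: type 0x{ptype:02x}, LBA {start}-{start + count - 1}, "
              f"{partition_slack_sectors(count, 8)} slack sectors at 8 sectors/cluster")
    for first, last in unpartitioned_ranges(parts, len(disk) // SECTOR):
        found = MARKER in read_range(disk, first, last)
        print(f"unpartitioned LBA {first}-{last} ({last - first + 1} sectors), marker found: {found}")
```

Against a real image, replace build_sample_disk with the bytes of a forensic copy; the gaps it reports are exactly the ranges a file-system-level wiper never visits.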

Every partition begins with a boot sector, whether or not it has been initialised as bootable. The boot sector of a non-bootable partition can therefore be used to store information, and that information persists even if the partition is re-partitioned (which requires a re-format) or re-formatted. However, moving the partition, or initialising it as a bootable partition via Disk Management in Windows, Disk Utility in Mac OS, or fdisk in Linux (Nelson, Phillips, Enfinger and Steuart, 2007), would render the hidden data useless. Treat the persistence claim with caution in practice: formatting writes a fresh volume boot record to this sector, so only bytes the new file system's boot code leaves untouched can survive it.

Unallocated space within a partition can also be used to hide data, although during normal use of the HDD such data is ephemeral at best, since the file system may allocate those clusters to new files at any time. Data hidden in unallocated partition space remains only as long as the data held on the HDD is not altered, whether intentionally or not. Any lapse on the part of the forensic investigator, such as mounting the volume read-write, could result in the loss of data held in this space unless careful measures are taken (Bidgoli, 2006).

A safety feature present in both FAT16/32 and NTFS is the marking of clusters as 'bad' so as to prevent data loss. The file system metadata that identifies bad clusters (the FAT entries in FAT, the $BadClus file in NTFS) can be altered (Carvey, 2004) so as to mark perfectly usable clusters as bad. Once so marked, these 'fake' bad clusters are no longer allocated or read by Microsoft Windows, and any data held in them persists on the disk until the drive is re-partitioned (which requires a re-format of the newly created partition) or the existing partition is re-formatted. A check worth making: a modern drive remaps genuinely failing sectors internally, so any bad-cluster entries visible at the file system level deserve scrutiny.

A special case of NTFS metadata is its cluster allocation bitmap ($Bitmap), a complete map of every addressable cluster within the partition. Altering the bitmap to mark free clusters as allocated allows data to be hidden in a manner similar to the 'fake bad-cluster' method (Farmer and Venema, 2005). Data hidden by this method persists for the lifespan of the file system as long as it is not re-partitioned or re-formatted, although a consistency check (chkdsk) that rebuilds the bitmap would release the clusters again.

NTFS offers a couple more special cases inherent to its design. One is Alternate Data Streams (ADS): each file's MFT record can carry several $DATA attributes, and only the unnamed one is presented as the file's content. Writing sensitive data to a named stream keeps it out of the purview of Windows Explorer and of a plain directory listing at the command line, and the stream does not add to the displayed file size. Note, however, that dir /R (Windows Vista and later) and PowerShell's Get-Item -Stream * do enumerate streams, and that ADS are lost when the file is copied to a non-NTFS volume.

Further to this, NTFS has an inherent quirk regarding rather small files and ADS. If a file (or stream) is sufficiently small, its content is stored as a resident attribute inside the MFT record itself rather than in clusters referenced from the record. A purpose-built program could create a large number of tiny files so as to make the MFT grow, then delete them all, freeing enough MFT records to conceal a reasonably large file across them (Berghel and Brajkovska, 2004). This approach is ephemeral in nature, as the freed MFT records will soon be reused for new files during typical use of the HDD.

All the details above apply to almost every file system implemented today, including FAT16, FAT32, NTFS and the Ext-based Linux file systems. The Linux ExtX file systems offer some unique data hiding places, and these are detailed below.

The legacy Ext2 and current Ext3 (henceforth "ExtX") file systems are divided into sections known as block groups, which are used to store metadata, file names, and content. A superblock at the beginning of the file system (at byte offset 1,024) contains information on the block size and group layout, and backup copies are located in several of the block groups throughout the partition. The block following the superblock (block 2 with 1 KiB blocks, otherwise block 1) contains the group descriptor table, which details the layout of each block group; a backup copy of the table follows each backup superblock (Casey, 2002).

ExtX superblocks have 1,024 bytes allocated to them, although the last 788 bytes are unused. When the block size is greater than 1,024 bytes, a further reserved area exists between the end of the superblock and the start of the next block; this is known as superblock slack and is a hiding place unique to the Linux file systems (Farmer and Venema, 2005). Data stored in the superblock slack persists as long as the partition is not moved when re-partitioning, and is immune to re-formatting of the existing partition.

Since each ExtX group descriptor is only 32 bytes, the group descriptor table occupies only the first (number of groups × 32) bytes of its block(s), and the block bitmap that follows starts on a block boundary, so a reserved area exists behind the table. For a file system with a single block group and 1,024-byte blocks this leaves a minimum of 992 bytes in which to conceal data, with more available when the block size is greater than 1,024 bytes (Carrier, 2005). This is known as ExtX group descriptor slack; data stored here persists as long as the partition is not moved when re-partitioning, and is immune to re-formatting of the existing partition.
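The following Python is an added example, not part of the original report, covering both the superblock slack and the group descriptor slack just described: it reads the handful of ext2/ext3 superblock fields needed to lay out the front of the file system, computes the byte ranges of each slack area and extracts them. The images are constructed in memory with only those superblock fields populated; the 236-byte used length of the superblock (1,024 minus the 788 unused bytes above) is taken from the description and is an assumption of this code.

```python
"""Locate ExtX superblock slack and group descriptor slack and extract them."""
import struct

EXT_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024   # the primary superblock always starts at byte 1024
SUPERBLOCK_SIZE = 1024     # bytes allocated to it
SUPERBLOCK_USED = 236      # 1024 - 788 unused bytes, per the description (assumed)
GROUP_DESC_SIZE = 32


def parse_superblock(image):
    """Read the superblock fields needed here. ext2 offsets: blocks_count at 4,
    first_data_block at 20, log_block_size at 24, blocks_per_group at 32, magic at 56."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE]
    if struct.unpack_from("<H", sb, 56)[0] != EXT_MAGIC:
        raise ValueError("not an ext2/ext3 superblock")
    blocks_count = struct.unpack_from("<I", sb, 4)[0]
    first_data_block = struct.unpack_from("<I", sb, 20)[0]
    block_size = 1024 << struct.unpack_from("<I", sb, 24)[0]
    blocks_per_group = struct.unpack_from("<I", sb, 32)[0]
    groups = -(-(blocks_count - first_data_block) // blocks_per_group)   # ceiling
    return {"block_size": block_size, "blocks_count": blocks_count,
            "first_data_block": first_data_block, "groups": groups}


def slack_regions(info):
    """Byte ranges (start, end_exclusive) that no on-disk structure uses."""
    bs = info["block_size"]
    sb_end = SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE
    regions = {"superblock_unused": (SUPERBLOCK_OFFSET + SUPERBLOCK_USED, sb_end)}
    # The group descriptor table lives in the block after the superblock:
    # block 2 for 1 KiB blocks (first_data_block == 1), block 1 otherwise.
    gdt_start = (info["first_data_block"] + 1) * bs
    if gdt_start > sb_end:   # block size > 1 KiB: the rest of block 0 is superblock slack
        regions["superblock_slack"] = (sb_end, gdt_start)
    gdt_bytes = info["groups"] * GROUP_DESC_SIZE
    gdt_blocks = -(-gdt_bytes // bs)
    regions["group_descriptor_slack"] = (gdt_start + gdt_bytes, gdt_start + gdt_blocks * bs)
    return regions


def extract(image, region):
    start, end = region
    return image[start:end]


def build_sample_image(log_block_size, blocks_count, blocks_per_group, planted=b""):
    """Constructed image holding just a superblock; optionally plants bytes in the
    group descriptor slack the way a hiding tool would."""
    bs = 1024 << log_block_size
    first_data_block = 1 if bs == 1024 else 0
    image = bytearray(bs * 4)   # blocks 0..3 cover every structure parsed here
    for offset, fmt, value in ((4, "<I", blocks_count), (20, "<I", first_data_block),
                               (24, "<I", log_block_size), (32, "<I", blocks_per_group),
                               (56, "<H", EXT_MAGIC)):
        struct.pack_into(fmt, image, SUPERBLOCK_OFFSET + offset, value)
    if planted:
        start, _ = slack_regions(parse_superblock(bytes(image)))["group_descriptor_slack"]
        image[start:start + len(planted)] = planted
    return bytes(image)


if __name__ == "__main__":
    for args in ((0, 8192, 8192), (2, 65536, 32768)):
        img = build_sample_image(*args, planted=b"planted-in-gdt-slack")
        info = parse_superblock(img)
        print(f"block size {info['block_size']}, {info['groups']} group(s):")
        for name, region in slack_regions(info).items():
            data = extract(img, region)
            print(f"  {name}: bytes {region[0]}-{region[1] - 1} ({len(data)} bytes), "
                  f"planted data present: {b'planted' in data}")
```

The two constructed cases show why block size matters: with 1 KiB blocks there is no superblock slack and 992 bytes of descriptor slack, whereas with 4 KiB blocks the superblock slack alone is 2 KiB and the descriptor slack grows to almost a full block.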

ExtX directories behave like any other file in these Linux file systems and are therefore allocated in whole blocks, such that the space between the last directory entry and the end of the block can be used to hide data (Casey, 2004). During typical drive use this space can be encroached upon as entries are added, rendering data stored there useless.

A comparative overview of the relative volatility of the data concealment areas on HDDs and in the various file systems discussed is tabulated as Table 1.

DATA CONCEALMENT AREA                   NORMAL DRIVE USE   RE-PARTITION (W/ RE-FORMAT)   RE-FORMAT PARTITION
HPA and DCO                             Persistent         Persistent                    Persistent
MBR                                     Persistent         Persistent                    Persistent
Volume slack                            Persistent         Ephemeral                     Persistent
Partition slack                         Persistent         Ephemeral                     Persistent
Boot sector in non-bootable partition   Persistent         Persistent*                   Persistent
Unallocated partition space             Ephemeral          –                             –
Bad blocks                              Persistent         Ephemeral                     Ephemeral
NTFS cluster allocation bitmap          Persistent         Ephemeral                     Ephemeral
NTFS Alternate Data Streams             Persistent         Ephemeral                     Ephemeral
MFT and extremely small files           Ephemeral          –                             –
Superblock slack                        Persistent         Persistent*                   Persistent
ExtX group descriptor slack             Persistent         Persistent*                   Persistent
Directory slack                         Ephemeral          –                             –

Table 1: Relative volatility of data concealment areas (* see description for exceptions).

7 CONCLUSION

In recent times, the most prominent case in the media to use Computer Forensics to locate obscured evidence in a data storage format was that of the BTK killings by Dennis Rader, apprehended in 2005. With general public awareness constantly being raised by popular forensic TV shows, the average perpetrator tends to be better informed, especially about deleting data on HDDs and other storage media and the ease with which forensic investigators can recover it.

Forensic software such as AccessData's Forensic Toolkit (FTK) and Guidance Software's EnCase are the dominant commercial tools in the marketplace, whilst the best known open-source alternative is The Sleuth Kit (TSK). Searching unallocated space for files by their signatures is termed data carving, and while these tools offer their best analysis on storage media of up to around 250–300 MB in capacity, hunting down hidden caches of information on the larger capacities available today is an incredible challenge, considering that most manufacturers are producing 1.5 TB HDDs whilst Western Digital in particular are touting 2 TB HDDs; that is 1,500 GB and 2,000 GB respectively, and 300 MB represents 0.015% of the capacity of a 2 TB HDD.

These tools alone simply allow access to hidden data; they do not provide any means around file encryption, compression, or steganography, and the list goes on. It is evident that the possible defences faced by a prosecuting investigator in modern times are formidable, leaving the Computer Forensics industry at a serious disadvantage whilst perpetrators continually polish their skills and the sophistication of technologists on both sides of the law increases.

The solution lies in leaving behind the doctrine of strict signature-based analysis of storage media and looking to the research and development of intelligent heuristic processes driven by neural networks and "fuzzy logic".


REFERENCES

xxii Berghel, H. and Brajkovska, N. (2004) 'Wading through Alternate Data Streams', Communications of the ACM, vol. 47, no. 4, pp. 21-27.
xxiii Berghel, H. and Hoelzer, D. (2006) 'What Does a Disk Wiper Wipe when A Disk Wiper Does Wipe Disks', Communications of the ACM, vol. 49, no. 8, pp. 17-21.
xxiv Bidgoli, H. (2006) Handbook of Information Security, Hoboken, NJ: Wiley Publishing, Inc.
xxv Biryukov, A. and Khovratovich, D. (2009) Related-key Cryptanalysis of the Full AES-192 and AES-256, http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html [Accessed 16 July 2009].
xxvi Carrier, B. (2005) File System Forensic Analysis, Upper Saddle River, NJ: Addison-Wesley.
xxvii Carvey, H. (2004) Windows Forensics and Incident Recovery, Upper Saddle River, NJ: Addison-Wesley.
xxviii Casey, E. (2004) Digital Evidence and Computer Crime, 2nd edition, London, UK: Academic Press.
xxix Casey, E. (2002) Handbook of Computer Crime Investigation, London, UK: Academic Press.
xxx CNSS (2003) National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information, http://www.cnss.gov/Assets/pdf/cnssp_15_fs.pdf [Accessed 15 July 2009].
xxxi Cole, E. (2003) Hiding in Plain Sight: Steganography and the Art of Covert Communication, Hoboken, NJ: Wiley Publishing, Inc.
xxxii Daemen, J. and Rijmen, V. (2002) The Design of Rijndael: AES - The Advanced Encryption Standard, New York, NY: Springer Publishing Company.
xxxiii Douglas, J. and Dodd, J. (2008) Inside the Mind of BTK: The True Story Behind the Thirty-Year Hunt for the Notorious Wichita Serial Killer, Hoboken, NJ: Jossey-Bass.
xxxiv Farmer, D. and Venema, W. (2005) Forensic Discovery, Reading, Massachusetts: Addison-Wesley.
xxxv Gupta, M. R., Hoeschele, M. D. and Rogers, M. K. (2006) 'Hidden Disk Areas: HPA and DCO', International Journal of Digital Evidence, vol. 5, no. 1, pp. 1-8.


xxxvi Halderman, J. A., Schoen, S. D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J. A., Feldman, A. J., Appelbaum, J. and Felten, E. W. (2008) 'Lest We Remember: Cold Boot Attacks on Encryption Keys', Proc. 2008 USENIX Security Symposium.
xxxvii Mirza, F. (2008) 'Looking for digital evidence in Windows', International Symposium on Biometrics and Security Technologies 2008, April, pp. 23-24.
xxxviii Nelson, B., Phillips, A., Enfinger, F. and Steuart, C. (2007) Guide to Computer Forensics and Investigations, 3rd edition, Florence, KY: Course Technology - Cengage Learning, Inc.
xxxix Smith, C. (2006) The BTK Murders: Inside the "Bind Torture Kill" Case that Terrified America's Heartland, New York, NY: St. Martin's Press.
xl US-CERT (2008) Computer Forensics, http://www.us-cert.gov/reading_room/forensics.pdf [Accessed 16 July 2009].